Hi Reema - Thanks for looking at this. You can probably build your implementation on top of the html_sanitize function in features/caja/html-sanitizer.js.
Questions answered inline:

On Thu, Aug 7, 2008 at 11:58 AM, Reema Sardana <[EMAIL PROTECTED]> wrote:
> The reference at
> http://opensocial-resources.googlecode.com/svn/spec/0.8/gadgets/util.js does
> not give any details on how the HTML is to be sanitized. Whether it should
> use a blacklist or a whitelist depends on how much flexibility we want to
> give to the gadget.

Whitelist, definitely a whitelist.

> I was looking at implementing this but I am not sure if I am considering
> everything that needs to be taken care of.
>
> 1. Strip all script tags of the form <script

Yes.

> 2. Strip tags of the form <a onclick="javascript:alert('foo')">bar</a>

Yes.

> 3. Applets?

Not allowed, likewise no flash/activex/anything similar.

> 4. <div style="width: expression(alert(1))">hello</div>

Also not allowed.

Another case to be sure to block: <a href='javascript:something()'>

Cheers,
Brian
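As an added illustration (this is not code from the thread, from Shindig, or from Caja's html-sanitizer.js), the following is a small whitelist sanitizer in JavaScript that handles the four cases Reema listed plus the javascript: href Brian adds. The tag, attribute, URL-scheme and CSS-property whitelists are assumptions chosen for the example, as is the decision to drop the body of script/applet/object elements rather than re-emit it as text. It shows why a whitelist is the right answer: an event handler, a plugin element or a CSS expression is never matched against a list of known-bad patterns; it is simply not on the list of known-good ones.

```javascript
'use strict';
// Added example, not Shindig/Caja code: a whitelist HTML sanitizer covering the
// cases raised in the thread. All whitelists below are illustrative assumptions.

const ALLOWED_TAGS = new Set(['a', 'b', 'i', 'u', 'em', 'strong', 'p', 'div',
  'span', 'br', 'ul', 'ol', 'li', 'h1', 'h2', 'h3', 'table', 'tr', 'td', 'th']);
const VOID_TAGS = new Set(['br']);
// Attributes allowed per tag; anything else (every on* handler included) is dropped.
const ALLOWED_ATTRS = {
  a: new Set(['href', 'title']), div: new Set(['style', 'title']),
  span: new Set(['style', 'title']), p: new Set(['style']),
  td: new Set(['colspan', 'rowspan']), th: new Set(['colspan', 'rowspan']),
};
// Elements whose body must vanish with the tag instead of being re-emitted as text.
const DROP_WITH_CONTENT = new Set(['script', 'style', 'object', 'embed', 'applet', 'iframe']);
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);
// CSS properties allowed in style="..."; the value grammar contains no '(' so
// expression(...) and url(...) can never pass, whatever the property.
const ALLOWED_CSS = new Set(['color', 'background-color', 'width', 'height', 'font-weight', 'text-align']);
const CSS_VALUE = /^[a-z0-9#%.,\s-]+$/i;
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0' };

// Decode numeric and a few named entities so values are checked in their real
// form (unknown named entities are left as written).
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, (m, body) => {
    if (body[0] === '#') {
      const cp = /^#x/i.test(body) ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : '';
    }
    const v = NAMED_ENTITIES[body.toLowerCase()];
    return v === undefined ? m : v;
  });
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Returns the URL if it is relative or its scheme is whitelisted, else null.
function safeUrl(raw) {
  // Entities and control characters go first, so "&#106;ava&#9;script:" becomes
  // "javascript:" before the scheme is examined.
  const url = decodeEntities(raw).replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!m) return url;
  return SAFE_SCHEMES.has(m[1].toLowerCase()) ? url : null;
}

// Keeps only whitelisted CSS declarations with simple values; null if none remain.
function safeStyle(raw) {
  const kept = [];
  for (const decl of decodeEntities(raw).split(';')) {
    const idx = decl.indexOf(':');
    if (idx < 0) continue;
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const value = decl.slice(idx + 1).trim();
    if (ALLOWED_CSS.has(prop) && value && CSS_VALUE.test(value)) kept.push(`${prop}: ${value}`);
  }
  return kept.length ? kept.join('; ') : null;
}

function sanitizeAttrs(tag, attrText) {
  const allowed = ALLOWED_ATTRS[tag] || new Set();
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  let out = '';
  let m;
  while ((m = re.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    if (name.startsWith('on') || !allowed.has(name)) continue;
    const raw = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : (m[4] || '');
    let value;
    if (name === 'href' || name === 'src') value = safeUrl(raw);
    else if (name === 'style') value = safeStyle(raw);
    else value = decodeEntities(raw);
    if (value !== null) out += ` ${name}="${escapeHtml(value)}"`;
  }
  return out;
}

function sanitizeHtml(html) {
  // Tokens: comment | well-formed tag | text run | stray '<'. Anything that is
  // not a well-formed whitelisted tag ends up escaped or dropped, never passed through.
  const token = /<!--[\s\S]*?-->|<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s"'=<>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?)*)\s*(\/?)>|[^<]+|</g;
  const open = []; // open-tag stack, so the output is balanced and cannot swallow container markup
  let out = '';
  let m;
  while ((m = token.exec(html)) !== null) {
    const text = m[0];
    if (text.startsWith('<!--')) continue;
    if (text === '<') { out += '&lt;'; continue; }
    if (text[0] !== '<') { out += escapeHtml(decodeEntities(text)); continue; }
    const closing = m[1] === '/';
    const tag = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) {
      if (!closing && DROP_WITH_CONTENT.has(tag)) {
        const endRe = new RegExp(`</${tag}\\s*>`, 'ig');
        endRe.lastIndex = token.lastIndex;
        const e = endRe.exec(html);
        if (!e) break; // unterminated script/applet body: discard the remainder
        token.lastIndex = e.index + e[0].length;
      }
      continue;
    }
    if (closing) {
      const i = open.lastIndexOf(tag);
      if (i < 0) continue; // stray end tag
      while (open.length > i) out += `</${open.pop()}>`;
      continue;
    }
    const selfClose = m[4] === '/';
    out += `<${tag}${sanitizeAttrs(tag, m[3])}${selfClose ? ' /' : ''}>`;
    if (!selfClose && !VOID_TAGS.has(tag)) open.push(tag);
  }
  while (open.length) out += `</${open.pop()}>`;
  return out;
}
```

Two points worth noting. The regex tokenizer is acceptable here only because every input it fails to recognise is escaped rather than copied through; a production sanitizer such as Caja's uses a proper HTML lexer. Balancing the output matters as much as filtering it: an unclosed `<div>` in gadget markup would otherwise capture whatever container markup follows it.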

